Archive for October, 2008
Trick or Crack!
It’s Halloween, and while nothing says FUD like a good vendor press release, the Brute Force Password crack estimator is also good, scary fun. Almost like getting a real candy bar in your sack of candy instead of one of those puny, deceptively-named “fun size” ones.
Posted in Security and Risk Management | No Comments »
Welcoming Bob
Now that he’s finally gotten to push the big “publish” button, I’m pleased to welcome my friend and co-worker Bob to Not Bad for a Cubicle.
Bob is one of the people in the world who Just Gets It when it comes to security, risk and technology, especially end points and mobile devices. He’s the source of one of my favorite statements about information and technology, too, which I’ll attempt to paraphrase as, Data seeps into every nook and corner of every device we own.
He’s also famously willing to tell the truth, no matter how much people might not want to hear it. As you can imagine, he’s exactly the sort of person I think we need more of. The sort of person who consistently forces me to expand my own thinking simply by expanding his own.
For example, he recently passed me a draft of a white paper he’s been working on regarding EUC 2.0. My comment to him over Skype was:
I was reading your EUC paper and was simultaneously thinking, “This is awesome!” and “This is scary as hell from an information protection perspective!”
I can’t wait to see what else he puts up here, because EUC 2.0 is something that’s going to happen, whether we want it to or not. By getting risk and security involved in the conversation early on, we at least have a chance to build an environment which both works in an agile, mobile manner and gives us half a chance. Or we can try to hide behind “Personal Device Policies” and other attempts to hold back the future until it’s already around us and we’re once again scrambling to bolt on protection at the device or the non-existent perimeter.
So please join me in welcoming Bob to the Cubicle.
Posted in Security and Risk Management, Risk Management, EUC 2.0 | No Comments »
Trade-offs
How many times have we laughed at IT design decisions which turn out to have been…less-than-ideal? Well it’s nice to see that we’re not the only ones who do so. Consider the plight of one of my favorite local tourist attractions, the Shedd Aquarium, who are currently dealing with the fact that they didn’t put a drain in a 3 million gallon tank:
As Shedd Aquarium officials prepared to re-line its giant indoor whale and dolphin pools several weeks ago, they were confronted with a problem—there was no drain at the bottom.
In addition, since the three adjoining, connected pools contained salt water, they weren’t sure if it was environmentally safe and permissible to send all 3 million gallons willy nilly into the city sewer system.
How could they overlook such a thing? The easiest way of all–on purpose!
“We checked the architectural plans,” Popovich said Wednesday. “There isn’t a drain at the bottom of the pools, because the system was designed not to drain to avoid any possible leakage.”
When we design systems, we make similar trade-offs. Invariably, some of them come back to bite us later. Unfortunately, especially in IT, we are all too often expected not to make trade-offs, but instead to over-engineer the solution until every possible scenario can be accounted for. This produces complexity, which in turn makes it that much harder to maintain and secure the system, especially over time, when the details of the complexity have been forgotten by the people doing the work.
The Shedd is solving their problem by siphoning the water out into the storm drains. It turns out that snow melt from salted streets is actually more saline than seawater. It is also an excellent risk trade-off, given that they do it less often than once every ten years (it’s been 18 years since the tank was originally built and filled).
Sure, they had to solve a problem, which requires having people with brains around, but by waiting until it actually occurred, they avoided the risk that their over-engineered solution would fail in the meantime.
Posted in Security and Risk Management, Risk Management | 1 Comment »
Your IT Department in your Wallet
Hello,
My name is Bob; Chandler and I have known each other and worked together for several years. He kindly invited me to be a guest author on the Cubicle. I have been spending a lot of my time in IT Security thinking about alternate computing styles and ways to get the cost out. The modernization of the Internet, the expansion of broadband access, and high-speed wireless data give us some interesting new ways to run a business. This is the first in a series and, I hope, the start of a good discussion around new computing models.
If you still have a small amount of credit in this crazy market you can build and mobilize your business without building big buildings, data centers, or buying lots of new computing hardware. So let’s build a business! And buy a few new toys.
If you have an office you have to equip it with Internet access, and I would make it wireless. Get the best, fastest Internet service you can afford. Buy a decent router that has fast wireless. For around $500 get a good double-sided color ink-jet printer that has wireless, fax, scanner, etc. You will need one real land line and a REAL phone that does not need batteries. Note that you can maybe save some money and hassle if you set up what is called e-fax, or electronic fax. (More on this later; there are alternatives!)
You need email; the world uses email to do business. For $50 per year per user you can get a Google email account with your own custom domain, web hosting, calendaring, document storage, and on-line editing. Add a few dollars and Google will provide you advanced features in email controls, filtering, and archiving. Good solid enterprise-class tools, storage off of your local computer to keep your data safe, and a decent environment to work in.
Now how are you going to access all these fine tools and data? I am a big fan of mobility, so I would issue laptop computers and cell phones. But let’s be smart about this.
In keeping with the lower-cost model (the machine has to have WiFi), let’s get a somewhat lower-tier laptop, and here is the shocker: run Ubuntu Linux on it. Most of your day-to-day work will be in Firefox, as it works very well with Google. When you need offline access, Ubuntu has OpenOffice; make sure you have the 3.0 version so you are more compatible with all the Microsoft stuff out there. For almost all of your needs you will not need to purchase ANY software! Over time we will talk about applications that will just get the job done for you.
We still need telephones, and in today’s world I feel it is important that everyone have a telephone. This is going to cost you a bit of money, but the productivity is worth it. With all that nice Google stuff out there you need your email, calendar, and data access on the phone. Well, guess what: Google got together with some other folks and built a phone operating system called Android, and with HTC and T-Mobile made the first Android phone. The phone is good, T-Mobile is getting better all the time, so for around $150 for the phone and around $75 per month you have all you need. When you get the phone you sign into your Gmail account and it pulls down your email, contacts, and calendar in just a few seconds.
So now you have the basic end user computing hardware and software you need to operate. No software licensing costs, better performance and best in class communications.
Oh hey maybe a business plan would be cool, but you knew that already. Welcome to Enterprise 2.0 and End User Computing 2.0.
Posted in Technology, Enterprise 2.0, EUC 2.0, Cloud Computing | No Comments »
Unusual economic metric
A newspaper article observes an interesting correlating economic indicator:
The nation’s largest employer and retailer is a bellwether for many things, but theft may be its greatest contribution. Due to the sheer size of its stores – coupled with chronic short-staffing and no security staff – Wal-Mart tends to be ground-zero for shoplifting.
The evidence comes from the discarded packaging found in the deeper reaches of the stores. In normal times, shoplifters will grab CDs, DVDs, and smaller electronics items, strip them of packaging in the quieter aisles, then walk through security scanners undetected.
But over the past few months, workers are discovering that even thieves are having a hard go of it during this wretched economy. “Now I’m finding lots of things like food, diapers, tampons, over-the-counter pharmacy stuff like kid’s cough medicine and insulin,” says one employee.
Metrics are often not found where you expect them.
Posted in Security and Risk Management, Security metrics | No Comments »
The insider threat
Even having no context for this:
For some reason, I saw this video and immediately wondered if it wasn’t the result of the owner of these dogs having come home for the last @#$@#$ time to discover that the %#@#$ dog was out of the @#$!!@# cage, and setting up the #@%@#$ video camera to find out who the #$@#$@$ keeps letting the dogs out.
Now let’s think about this from a risk perspective.
First, the dogs’ owner probably assumed that the threat was an outsider (another person) letting the dogs out. After all, they’re locked in a cage.
Second, I’d also bet that the owner either was unaware of the vulnerability or had accepted the risk (what’s the likelihood, right?).
Third, no amount of risk management will change the fact that the dog was probably digging up the neighbor’s flower beds or chasing cars down the street when he got home. Even when you believe risk is managed, you still need an incident response plan.
Posted in Security and Risk Management, Risk Management | 1 Comment »
The current global crisis
John Robb is much scarier than Halloween when he makes some observations about the global nature of the current economic crisis. It’s too short to excerpt effectively, which means it’s easy enough to just go read it.
Our first real global event will directly impact all economic activity from Botswana to Albany. It’s even more interesting since the impact of this event is occurring simultaneously in all places at once.
This is a very bad thing. Not only is the information globally dispersed, but it is likely to recast the world’s economic psychology nearly overnight. Fear, uncertainty, and doubt spread at the speed of light. This has/will cause a substantial decline in demand as people and companies become cautious…
Since there isn’t any stable external environment untouched by the crisis, this may become an uncorrectable and self-reinforcing feedback loop. Also, since most economic statistics have substantial lag, we may not even know it is occurring until we reach the next big tipping point.
Hopefully, the global system isn’t as efficient as we designed it to be.
As one of the folks who spent his career toiling in data centers, conference rooms, airplane seats and, yes, even the occasional cubicle, I see both sides of his argument. Fortunately, I don’t think the system is nearly as efficient as Robb fears. I also think, though, that most people are still in denial about the seriousness of the crisis.
This is a case where the constant media distraction of Britney Spears and Madonna helps out–most people are so clueless about the real state of things that they won’t stop shopping until the money is gone and the credit cards stop working. They don’t understand capital markets, credit derivatives, market and credit risk management. They’ve never heard of Iceland, much less realize that it was a First World nation whose currency just collapsed under the weight of the current crisis–kind of a problem when you import pretty much everything.
And even if the captains of industry try to take drastic action, big companies don’t turn on a dime any better than the oil tankers that our economies are so dependent on.
Do I believe that the American standard of living is going to take a big hit? Absolutely. The US, Britain, Russia, and most of the countries in between have all over-spent themselves, and the only way to recover from that is to spend less for a while, whether you’re an individual, a family, or even a nation.
It’s not going to be pretty, it’s not going to be fun, but it’s also not going to be the end of the world.
Rule of Law as externality
Lawrence Lessig has an excellent essay, “In Defense of Piracy,” in which he argues that the current copyright regime has externalities which are damaging the very rule of law itself:
It is time we recognize that we can’t kill this creativity. We can only criminalize it. We can’t stop our kids from using these tools to create, or make them passive. We can only drive it underground, or make them “pirates.” And the question we as a society must focus on is whether this is any good. Our kids live in an age of prohibition, where more and more of what seems to them to be ordinary behavior is against the law. They recognize it as against the law. They see themselves as “criminals.” They begin to get used to the idea.
That recognition is corrosive. It is corrupting of the very idea of the rule of law. And when we reckon the cost of this corruption, any losses of the content industry pale in comparison.
Unfortunately, I couldn’t agree with him more. Lessig is now concerning himself with the challenge of reducing corruption. One key element of that is driving respect for the rule of law. The fact that the “content industry” would sacrifice it in a pointless attempt to maintain their profits (or even their existence) is morally corrupt and a perfect example of putting profit before the common good.
Interestingly, I just took a peek at Pete Lindstrom’s blog, where he’s pondering a similar question, asking, “Should I let my kids lie on the Internet?”:
Or even force them to?
I was at a security conference today and two folks were talking who said they never let their kids fill out any online forms with real information. It’s actually a pretty interesting protection mechanism but I am having a hard time getting past the lying part…
In this case, I believe that the negative lesson that comes from teaching small children that there are cases where it’s OK to lie is, like piracy, corrosive to the larger themes that I want my child to learn. I think that it’s more important to teach children lessons about what constitutes unsafe online behavior than that they must hide their identity at all times. We forget that the reality is that, with a little education and higher brain function, using the Internet is extremely safe. This is a much more productive model to impart to our children or elders than, “Lie about who you are on the Internet. That way they can’t find you to kidnap and kill you,” which is the implicit lesson, along with the corollary that no one is who they claim to be on the Internet (phishers, the widows of Nigerian dictators and children of over-protective parents notwithstanding).
So, Pete, to answer your question:
Don’t teach your children to lie on the Internet–or pretty much anywhere else for that matter. They’ll learn it just fine on their own when the time comes. The externality, loss of respect for the truth, is too great a cost to pay. Instead, teach them to mitigate the risk by using their brains. After all, the risk is actually quite low and in reality, when kids do dumb things with people they meet on the Internet, they’re probably going to need to lie to you about what they’re up to and you don’t want them to be too practiced at the skill.
Thumb Drive quick risk assessment
Bob sent me a link to an article about encrypted USB devices.
I just gave it a quick read. It’s strictly a “happy path” assessment, which is good for filtering for usability, but not so much for how much actual security it provides. I haven’t checked if any of these products are in Schneier’s “Doghouse,” for example.
I’ve got a personal predilection for TrueCrypt, since it’s cross-platform, both Free-as-in-Beer and Free-as-in-Speech, has been extensively peer-reviewed, and is known to be highly effective. It just lacks “enterprise” capabilities like key recovery/management and forced use via policy, which is both good and bad, since it means that you can’t (silently) control or access someone else’s encrypted data.
I know that there are various other vendors who are providing these features in “enterprise” packages. For example, I believe that BigFix can restrict files to only encrypted USB devices through the removable storage module, but I haven’t looked at it specifically.
I’m not going to write the products off just yet, even if their security turns out to be less than meets the eye, since even bad control can still be better than nothing, but I think we also need to know how much better.
The real unknown is how widespread the knowledge and tools to bypass poor thumb drive protections are. Right now, for example, it might be fairly low. Eventually, however, the awareness of how to bypass it will become widespread enough that the protection is ineffective. This is similar to the ease with which older “password protection” features of, for example, MS Office can be bypassed with tools off the Internet. With Office 2007, Microsoft has raised the bar, using “real” crypto such that the point of attack becomes an attempt to brute-force the passphrase, but to the casual user, there is no difference between the weaker and stronger implementations.
Regardless, if people perceive that the data on the device is “secure,” then they’re going to be both more likely to put sensitive information on them and less likely to report or worry about them if they get lost. Thus, if the security is not effective, then the residual risk could potentially (though not necessarily) be greater than the inherent risk that the crypto is meant to mitigate.
Unfortunately, that result is a function of psychology, so there’s not much we can do to manage the risk other than avoid it.
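The arithmetic behind the crack-time estimator mentioned at Halloween, and behind the “raised the bar” remark about Office 2007 above, as an added example (not code from this blog or from any product it mentions): a worst-case brute-force cost estimator. The guess rate and the KDF iteration count in main() are constructed illustrative values, not measurements of any real product.

```python
"""Brute-force cost estimator for a passphrase-protected container.

Added example; the guess rate and KDF iteration counts used in main() are
constructed illustrative numbers, not measurements of any real product."""
import math
import string

# Keyboard character classes; the search space is the size of the classes a
# password touches, raised to its length (the usual estimator assumption).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover to be sure of hitting this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def keyspace(password: str) -> int:
    """Number of candidates in a worst-case (exhaustive) search."""
    return charset_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """log2 of the keyspace; each extra bit doubles the attacker's work."""
    return math.log2(keyspace(password))

def seconds_to_exhaust(password: str, guesses_per_second: int,
                       kdf_iterations: int = 1) -> float:
    """Worst-case seconds to try every candidate.

    An iterated KDF (kdf_iterations > 1) multiplies the cost of every guess,
    which is what "real" crypto buys over a flag-style protection that a
    downloaded tool strips at zero cost (that case is not modelled here)."""
    return keyspace(password) * kdf_iterations / guesses_per_second

def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def main() -> None:
    rate = 10**9     # constructed: a billion raw guesses per second
    kdf = 50_000     # constructed: KDF iterations per guess in the "real crypto" case
    for pw in ("halloween", "Halloween08", "Tr1ck-0r-Tr3at!"):
        weak = seconds_to_exhaust(pw, rate)
        strong = seconds_to_exhaust(pw, rate, kdf)
        print(f"{pw:18} {entropy_bits(pw):5.1f} bits  "
              f"no KDF: {human(weak):>14}  iterated KDF: {human(strong):>14}")

if __name__ == "__main__":
    main()
```

The same passphrase moves from seconds to years once each guess costs tens of thousands of hash operations, which is the whole difference the casual user never sees.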
Posted in Security and Risk Management, Risk Management | No Comments »
Today in History
Today is the 127th anniversary of the start of the Great Chicago Fire.
The Great Chicago Fire was a conflagration that burned from Sunday October 8 to early Tuesday October 10, 1871, killing hundreds and destroying about four square miles in Chicago, Illinois. Though the fire was one of the largest U.S. disasters of the 19th century, the rebuilding that began almost immediately spurred Chicago’s development into one of the most populous and economically important American cities.
On the municipal flag of Chicago, the second star commemorates the fire.
While the blaze stopped just over a mile south of where I live today, it left one third of the city (100,000 people) homeless and destroyed the central business district. It also serves as a reminder that whatever our individual efforts at mitigating risk, there are always going to be risks which are beyond our ability to do anything about except transfer or accept them.
Posted in Security and Risk Management, Risk Management | 3 Comments »